b'                       UNITED STATES DEPARTMENT OP EDUCATION\n\n\n\n\n                                       NOV 1 2 2003\n\nMEMORANDUM\n\nTO:            William J. Leidinger\n               Assistant Secretary for Management and Chief Information Officer\n               Office of Management\n\n\nFROM:          Helen Lew    ffdb W\n               Assistant Inspector General for Audit\n\nSUBJECT:       Final Audit Report\n               Audit of the Accuracy and Completeness of Personnel Data\n               Control Number ED-OIGIA19-C0005\n\nAttached is our subject final report that covers the results of our audit of the accuracy and\ncompleteness of personnel data. We received your comments generally concurring with the\nfindings and recommendations in our draft audit report. Please provide the Supervisor, Post\nAudit Group, Office of the Chief Financial Officer, and the Office of Inspector General with\nquarterly status reports on promised corrective actions until all such actions have been completed\nor continued follow-up is unnecessary.\n\nIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7 552) reports issued by the Office\nof Inspector General are available to members of the press and general public to the extent\ninformation contained therein is not subject to exemptions in the Act.\n\nWe appreciate the cooperation given us in the review . Should you have any questions\nconcerning this report, please call Michele Weaver-Dugan at (202) 863-9526.\n\n\nAttachment\n\x0c Audit of the Accuracy and Completeness of Personnel Data \n\n\n\n\n                                 FINAL AUDIT REPORT \n\n\n\n\n\n                                            ED-OIG/A19-C0005\n                                              November 2003\n\n\nOur mission is to promote the efficiency,                      U.S. Department of Education\neffectiveness, and integrity of the                            Office of Inspector General\nDepartment\xe2\x80\x99s programs and operations.                          Operations Internal Audit Team\n                                                               Washington, DC\n\x0cStatements that managerial practices need improvements, as well as other conclusions and\nrecommendations in this report, represent the opinions of the Office of Inspector General.\n     Determinations of corrective action to be taken will be made by the appropriate\n                           Department of Education officials.\n\n\nIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7 552), reports issued by the\nOffice of Inspector General are available to members of the press and general public to the\n        extent information contained therein is not subject to exemptions in the Act.\n\x0c                                    TABLE OF CONTENTS \n\n\n\n                                                                                                            Page\n\n\nEXECUTIVE SUMMARY ..................................................................................... 1 \n\n\nBACKGROUND ..................................................................................................... 3 \n\n\nAUDIT RESULTS................................................................................................... 4 \n\n\n           Finding No. 1 \xe2\x80\x93 Personnel Database Information Was Not Always \n\n               Accurate or Complete.......................................................................... 4 \n\n\n                 Recommendations ............................................................................... 6 \n\n\n           Finding No. 2 \xe2\x80\x93 Personnel Database Information Was Not Always \n\n               Supported By Personnel Records........................................................ 7 \n\n\n                 Recommendations ............................................................................... 9 \n\n\n        Finding No. 3 \xe2\x80\x93 Controls Over Sensitive Data Needed Improvement........ 11 \n\n\n                 Recommendations ............................................................................. 13 \n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY............................................... 14 \n\n\nSTATEMENT ON MANAGEMENT CONTROLS............................................. 16 \n\n\nATTACHMENTS: \n\nAttachment 1 \xe2\x80\x93 Results of Employee Data Confirmation Survey \n\nAttachment 2 \xe2\x80\x93 Sources of Data Fields Available for Employee Review \n\nAttachment 3 \xe2\x80\x93 Comparison of Database to Personnel File Documentation \n\nAttachment 4 \xe2\x80\x93 FPPS User Account Review by Organization \n\nAttachment 5 \xe2\x80\x93 Summary of Data Fields Reviewed \n\nAttachment 6 \xe2\x80\x93 Department\xe2\x80\x99s Response to Draft Audit Report\n\n\x0c                             EXECUTIVE SUMMARY \n\n\nThe responsibilities of the Department of Education\xe2\x80\x99s (Department) Human Resources Services\n(HRS) include establishing and maintaining staff resource information and related processing\nsystems. The Department utilizes the Federal Personnel/Payroll System (FPPS) to perform these\nfunctions. Information from FPPS is also provided to the Office of Personnel Management\xe2\x80\x99s\nCentral Personnel Data File. This information is used to generate statistics on federal employees,\nto monitor agency compliance with government-wide policies, and to make decisions on federal\npersonnel policy.\nThe objectives of our audit were to: (1) assess the accuracy and completeness of selected\ninformation in the Department\xe2\x80\x99s personnel database, and (2) evaluate how sensitive personnel\ndata is safeguarded.\nOverall, we found opportunities exist to improve the quality of personnel records and the\ncontrols over sensitive data. Our audit found that FPPS database information was not always\naccurate or complete, information contained in the FPPS database was not always supported by\npersonnel records, and controls over sensitive data needed improvement. As a result, managers\nand HRS staff did not always have appropriate data upon which to base decisions, employee\npersonnel and performance files were not always complete, FPPS users were not informed of\ntheir responsibilities with respect to use of the system, and some users had inappropriate access\nto sensitive information.\n\nTo correct the identified weaknesses, we recommend that the Department:\n\n\xe2\x80\xa2 \t Develop and implement a process to improve the accuracy of FPPS data through employee\n    review and confirmation.\n\xe2\x80\xa2 \t Monitor FPPS data for completeness and take corrective action where appropriate to identify\n    and complete missing data.\n\xe2\x80\xa2 \t Reinforce the requirements for and importance of recording and updating FPPS data to HRS\n    and Executive Office staff responsible for this task. Provide additional training as needed.\n\xe2\x80\xa2 \t Develop and implement periodic quality assurance reviews to compare FPPS data with\n    personnel record documentation to ensure all data is accurately recorded/updated and records\n    are complete.\n\xe2\x80\xa2 \t Develop a tracking mechanism to ensure that all ratings are provided timely by Executive\n    Offices and filed in Employee Performance Files.\n\xe2\x80\xa2 \t Develop and implement rules of behavior for FPPS users that include the use of a signature\n    page to acknowledge receipt and understanding of responsibilities.\n\xe2\x80\xa2 \t Develop FPPS user account monitoring procedures to ensure that Executive Offices\n    periodically review and confirm the need for user accounts within their organization.\n\nWe discussed our findings and recommendations with HRS as they were identified. HRS staff\ndeveloped and implemented corrective actions for many issues during the course of this audit.\n\n\nED-OIG/A19-C0005                             \t                                      Page 1\n\x0cIn the Department\xe2\x80\x99s written response to the draft audit report, the Office of Management (OM)\nstated that it generally concurred with our audit findings and the majority of the\nrecommendations. OM disagreed with one recommendation. As OM\xe2\x80\x99s stated corrective actions\nto other recommendations in the report will adequately address our concerns, this\nrecommendation was removed from the final audit report.\n\nIn its response, OM stated that at times our report overstated the impact and importance of some\nof the data errors. We do not agree with this statement. Our report listed the data elements that\nwere found to be inaccurate and the data users that may be affected. While we agree that\ninaccuracies in some data elements have more impact than others, we did not make this\ndistinction in the audit report. Impact statements in the audit report referred to data inaccuracies\nin general, not to specific data elements.\n\nWe summarized the Department\xe2\x80\x99s response and provided our comments to the response, where\napplicable, at the end of each respective finding. The full text of the Department\xe2\x80\x99s response is\nincluded as Attachment 6 to this report.\n\n\n\n\nED-OIG/A19-C0005                                                                      Page 2\n\x0c                                    BACKGROUND \n\n\n\nThe Department of Education\xe2\x80\x99s (Department) Human Resources Services (HRS), within the\nOffice of Management, provides leadership and direction in the formulation and implementation\nof policies and programs that promote efficient and effective personnel management. HRS\nprovides the Secretary, Deputy Secretary, and other executive level managers, with human\nresources advice and technical services that further the goals and objectives of the Department.\nHRS establishes and maintains staff resource information and processing systems that reflect\nresource utilization needs for key officials within the Department. The Department utilizes the\nFederal Personnel/Payroll System (FPPS) to perform these functions.\n\nThe Department of Interior\xe2\x80\x99s National Business Center operates FPPS for the Department of\nEducation and numerous other agencies. FPPS has different modules that allow Department\nusers to perform functions such as time and attendance or personnel transaction processing.\nHRS uses FPPS to maintain electronic personnel records for Department employees.\n\nEmployee records within FPPS consist of data fields such as name, Social Security Number,\nposition, and pay plan. Select information contained within the database is periodically\nsubmitted to the Office of Personnel Management (OPM) for use in the Central Personnel Data\nFile (CPDF). Decision makers ultimately use this information to obtain statistics on federal\nemployees, to monitor agency compliance with government-wide policies, and to make decisions\non federal personnel policy.\n\n\n\n\nED-OIG/A19-C0005                                                                   Page 3\n\x0c                                             AUDIT RESULTS \n\n\nOverall, we found opportunities exist to improve the quality of personnel information and the\ncontrols over sensitive data. Our audit found that: (1) FPPS database information was not always\naccurate or complete, (2) information contained in the FPPS database was not always supported\nby personnel records, and (3) controls over sensitive data needed improvement. As a result,\nmanagers and HRS staff did not always have appropriate data upon which to base decisions,\nemployee personnel and performance files were not always complete, FPPS users were not\ninformed of their responsibilities with respect to use of the system, and some users had\ninappropriate access to sensitive information.\n\nThe Department generally concurred with our findings and recommendations. A summary of the\nDepartment\xe2\x80\x99s response follows each finding. The full text of the response is included as\nAttachment 6 to this report.\n\n\n\nFinding No. 1 \xe2\x80\x93               Personnel Database Information Was Not Always Accurate\n                              or Complete\n\n\nThe Department\xe2\x80\x99s personnel database information was not always accurate or complete. We\nconfirmed FPPS data with a randomly selected sample of Department employees. Employees\nwere provided with confirmation forms that contained personnel information from 22\njudgmentally selected FPPS data fields. A total of 221 employees completed and returned the\nconfirmations. We found that 118 employees (53.4 percent) reported a discrepancy in at least\none data field. Thirty-five employees (15.8 percent) reported discrepancies in two or more data\nfields. The data fields with the highest error rates were: 1\n\n       \xe2\x80\xa2   Education Level \xe2\x80\x93 34.4 percent;\n       \xe2\x80\xa2   Handicap Indicator \xe2\x80\x93 10.0 percent;\n       \xe2\x80\xa2   Last Rating of Record \xe2\x80\x93 7.7 percent;\n       \xe2\x80\xa2   Date of Last Promotion \xe2\x80\x93 4.5 percent; and\n       \xe2\x80\xa2   Race/National Origin \xe2\x80\x93 4.1 percent.\n\n\n\n\n1\n    Attachment 1 contains a listing of all data fields confirmed and the corresponding error rates.\n\nED-OIG/A19-C0005                                                                                      Page 4\n\x0cWe also tested FPPS information to determine if the database contained valid, reasonable, and\ncomplete information. We evaluated the contents of the 22 selected data fields for all 4,902\nDepartment employees as of June 25, 2002. Our testing identified blank fields as follows:\n\n   \xe2\x80\xa2   Education Level \xe2\x80\x93 321 employees;\n   \xe2\x80\xa2   Date of Last Promotion - 223 employees;\n   \xe2\x80\xa2   Last Rating of Record \xe2\x80\x93 2 employees; and\n   \xe2\x80\xa2   Handicap Indicator \xe2\x80\x93 1 employee.\n\nOPM\xe2\x80\x99s The Guide to Central Personal Data File Reporting Requirements, Subchapter A.3,\nplaces responsibility for data accuracy on each agency. It states,\n\n       Data submissions from agencies participating in CPDF represent their official\n       workforce statistics. Agencies may process the data through their own systems or\n       arrange for their data to be processed by another Federal agency. Regardless of\n       the processing arrangement, each agency is responsible for collecting the data,\n       editing it for validity, accuracy, and completeness, and furnishing the data to\n       CPDF.\n\nSubchapter A.5 provides requirements for quality control of data submitted to the CPDF. This\nsection states,\n\n       Agencies are responsible for assuring that the data contained in the CPDF\n       presents an accurate and complete statistical profile of their workforce. For this\n       purpose, agencies must do quality control tests of the data they provide to CPDF\n       from their internal personnel data systems...The major thrust of the Office of\n       Personnel Management\'s quality control and assurance efforts is to assure that\n       agencies have quality control operations in place to detect and correct incorrect\n       and incomplete data before they submit the data to CPDF. The data submitted to\n       the Office of Personnel Management represents an official representation of each\n       Federal agency\'s workforce statistics. Each agency is responsible for the quality\n       of its data in the CPDF and for the statistical profile of the agency that CPDF\n       presents to the Office of Management and Budget, the Congress, the White\n       House, and other users of the CPDF.\n\nWe found that HRS did not periodically request or encourage employees to confirm personnel\ninformation to enhance the accuracy of the data. HRS staff reported that they did monitor some\ndata fields, but they did not monitor overall database information to identify incomplete data.\nHRS staff also stated that supervisors focused on limited key fields, such as Social Security\nNumber, when reviewing initial data input for new employees, and did not review the accuracy\nof all data entered.\n\nHRS staff stated that data quality reviews were conducted by OPM on CPDF submissions, and in\nthe September 2002 agency rankings the Department of Education ranked second overall in data\nquality among the 23 largest agencies. While we acknowledge that the Department has been\nranked among the agencies with the highest data quality by OPM, CPDF submissions do not\n\nED-OIG/A19-C0005                                                                   Page 5\n\x0cinclude all FPPS data. Further, the CPDF data quality reviews only ensure that fields contain\nacceptable values and do not assure that the data is accurate.\n\nData inaccuracies also existed because employees did not always review the personnel data that\nwas available to them, inform HRS of updated information (such as additional education levels\nobtained), and for certain fields, did not have sufficient information to review the data. We\nfound that information for 19 of the 22 data fields in our audit was available for employees to\nperiodically review. Sources of personnel information included Leave and Earnings Statements,\nthe Employee Express website, annual Personnel Benefits Statements, and Notification of\nPersonnel Action forms. 2 However, five data fields were presented using codes that were not\ndefined on the documents. Three other fields \xe2\x80\x93 Race/National Origin, Handicap Indicator, and\nLast Rating of Record \xe2\x80\x93 did not appear on any of the documents. As such, employees did not\nhave sufficient information to confirm data for 8 of the 22 elements we reviewed.\n\nThe need for accurate and timely information exists because personnel data is used for many\npurposes. Agency personnel staff and managers use personnel data to make decisions about\nemployees, such as whether a current employee is eligible for promotion. Personnel data is also\nused by agencies and OPM\xe2\x80\x99s Office of Workforce Information to generate statistics that provide\na wide variety of information on the Federal workforce to the President, Congress, OPM\nmanagers, agencies, and the public. This information is used to make policy decisions on\npersonnel programs that affect current and future Federal employees.\n\nIn response to the data inaccuracies identified during this audit, HRS initiated an analysis of\nrequirements for a process that would periodically encourage employees to review personnel\ndatabase information. This process would supply definitions of database codes used, and\nprovide employees with a method to refer and resolve potential inaccuracies. The proposed\nprocess would include the 22 data fields used in this audit and 6 additional data fields identified\nby HRS.\n\nDuring the course of our audit, HRS staff developed and implemented a monitoring plan to\naddress incomplete data fields. HRS is reviewing data fields for completeness and recommends\ncorrective actions to Executive Offices and Human Resources personnel as needed.\n\n\nRecommendations\n\nWe recommend the Assistant Secretary for Management and Chief Information Officer:\n1.1 \t Develop and implement a process to improve the accuracy of data through employee\n      review and confirmation. The process should periodically encourage employees to review\n      personnel database information, supply definitions of database codes used, and provide\n      employees with a method to refer and resolve potential inaccuracies.\n\n\n\n2\n A complete listing of the data element values available to employees in each of these sources is presented in\nAttachment 2.\n\nED-OIG/A19-C0005                                      \t                                            Page 6\n\x0c1.2 \t Continue to monitor FPPS data for completeness and take corrective actions where\n      appropriate to eliminate incomplete data.\n\n1.3 \t Ensure that data discrepancies identified by Department employees on the data\n      confirmation forms provided during the audit are reviewed and appropriate corrective\n      actions are taken.\n\nDepartment of Education Response\n\nThe Department generally agreed with the recommendations made and provided information on\nactivities taken or planned to implement corrective actions.\n\nOffice of Inspector General Comments\n\nThe Department\xe2\x80\x99s proposed corrective actions are generally responsive to our recommendations.\nThe Department stated that corrective action to recommendation 1.1 is dependent on the future\navailability of funds. Specifically, the Department states this task cannot be completed through\nthe use of current HRS staff or contracts and concludes that additional contract support will be\nneeded to accomplish this task. Although the plan itself is responsive, the actual implementation\nof the plan is not certain. We will monitor the timeframes and actions proposed by the\nDepartment in the corrective action plan submitted during audit resolution.\n\n\n\n\nFinding No. 2 \xe2\x80\x93            Personnel Database Information Was Not Always \n\n                           Supported by Personnel Records \n\n\n\nInformation contained in the FPPS database was not always supported by documentation\nmaintained in personnel records. We compared FPPS data to documents in the Official\nPersonnel Files and Employee Performance Files of 75 randomly selected employees. We made\nthis comparison for 19 of the 22 data elements used in the employee confirmations.3 Our sample\nwas limited to employees serviced by HRS staff in Washington, DC.\n\nWe found the database information for at least one field was not supported in personnel records\nfor 37 of 75 employees (49.3 percent). The data fields that were not supported through available\ndocumentation were as follows: 4\n\n             \xe2\x80\xa2    Last Rating of Record \xe2\x80\x93 29.3 percent;\n             \xe2\x80\xa2    Educational Level \xe2\x80\x93 25.3 percent;\n\n3\n  We were unable to confirm data for the Race/National Origin and Handicap Indicator fields because\ndocumentation related to these fields was destroyed in accordance with OPM guidance. We did not attempt to\nconfirm Official Mailing Address data because that information can be changed through the Employee Express\nwebsite without creating a related source document.\n4\n  Attachment 3 contains a listing of all data fields compared to personnel records and the corresponding error rates.\n\nED-OIG/A19-C0005                                      \t                                              Page 7\n\x0c           \xe2\x80\xa2 \t Annual Pay \xe2\x80\x93 4.0 percent;\n           \xe2\x80\xa2 \t Veterans\xe2\x80\x99 Status \xe2\x80\x93 1.3 percent; and\n           \xe2\x80\xa2 \t Pay Plan, Grade & Step \xe2\x80\x93 1.3 percent\n\nOPM\xe2\x80\x99s The Guide to Processing Personnel Actions, Subchapter 1-7.b, outlines the need for\naccuracy in personnel data. It states:\n\n       To protect the interests of the employee and the Government it is critical that\n       personnel actions be documented correctly and that data on each action discussed\n       in this guide is reported to the Office of Personnel Management\xe2\x80\x99s Central\n       Personnel Data File accurately and on a timely basis....\n\nOPM\'s The Guide to Personnel Recordkeeping, Chapter 1, states,\n\n   Agencies should have management controls to ensure that personnel records:\n         \xe2\x80\xa2 \t Adequately document human resource management operations;\n         \xe2\x80\xa2 \t Are accurate and timely;\n         \xe2\x80\xa2 \t Are protected against loss or unauthorized alteration;\n         \xe2\x80\xa2 \t Document the employment history of individuals employed by the Federal\n             Government;\n         \xe2\x80\xa2 \t Can be located when necessary; and\n         \xe2\x80\xa2 \t Are retained and disposed of as required by General Records Schedule 1.\n\nChapter 3 of the guide states,\n\n       Records are filed in the Official Personnel Folder to document events in an\n       individual\xe2\x80\x99s Federal employment history that have long-term consequences for\n       the employee and the Government. Care should be exercised in filing documents\n       correctly to ensure that all documents pertaining to an employee\'s rights and\n       benefits are available in the personnel folder when needed.\n\nFPPS data was not supported by documentation for several reasons. We found that information\nsubmitted by employees was not always accurately recorded in the database. In some cases,\ndocumentation in files that dated to the employees\xe2\x80\x99 initial employment with the Department was\nnot always reflected in FPPS. We determined that 11 of the 19 errors identified in the Education\nLevel field related to information that was available upon the employee\xe2\x80\x99s start with the\nDepartment, (e.g. information on the employee\xe2\x80\x99s initial application to the Department). As\npreviously stated in Finding 1, HRS supervisors performed only a limited review of the data\nrecorded when the Department initially hired an employee. Supervisors reviewed only key fields\nsuch as an employee\xe2\x80\x99s Social Security Number, not all data entered.\n\nWe also found that updated documentation submitted by employees was not always reflected in\nthe database. We identified eight instances where the Education Level database values did not\nagree with documentation that was submitted by the employee subsequent to their initial\nemployment with the Department. HRS staff stated that FPPS did not require completion of\nfields such as Education Level when processing actions for reassignment or promotions within\n\nED-OIG/A19-C0005                            \t                                    Page 8\n\x0cthe Department. As such, data provided by the employees in applications submitted for these\npositions was not reviewed for new data and FPPS data was not updated.\n\nIn addition, appropriate supporting documentation was not always included in the files. For\nexample, Official Personnel Files did not include the most current SF-50, \xe2\x80\x9cNotification of\nPersonnel Action,\xe2\x80\x9d or other information to support annual pay data in FPPS in 3 of 75 files\nreviewed. We also found that 22 of 75 Employee Performance Files did not contain the Last\nRating of Record. HRS staff stated that Principal Offices did not always provide rating of record\ndocumentation as required.\n\nFinally, HRS staff did not conduct periodic reviews of samples of employee files to ensure that\nFPPS data reflected information contained in personnel records.\n\nAs a result, some data elements used by decision makers to process personnel actions, obtain\nstatistics on federal employees, monitor agency compliance with government wide policies, and\nmake decisions on federal personnel policy were not accurate or were not supported by source\ndocumentation. In addition, employee personnel and performance files were not complete.\nMissing documentation in employee files could lead to errors or confusion when future\npersonnel actions are taken.\n\nIn response to the information provided during our audit, HRS staff stated that they have\nexpanded the supervisory review of FPPS data input, plan to conduct quality assurance reviews\nthat compare FPPS data with file documentation, and have started to outline requirements for an\nautomated tracking system to ensure that all ratings are received timely and are included in\nEmployee Performance Files. HRS staff stated that they are currently generating and distributing\nRating of Record submission reports on a monthly basis to reinforce the importance of providing\nthis information. These reports are provided to each Principal Office and the Assistant Secretary\nfor Management.\n\n\nRecommendations\n\nWe recommend the Assistant Secretary for Management and Chief Information Officer:\n\n2.1 \t Reinforce the requirements for and importance of recording and updating FPPS data to\n      HRS and Executive Office staff responsible for this task, including providing additional\n      training as needed.\n\n2.2 \t Develop and implement periodic quality assurance reviews of samples of personnel records\n      to compare FPPS data with documentation to ensure all data is accurately recorded and\n      updated, and personnel and performance records are complete.\n\n2.3 \t Develop a tracking mechanism to ensure that all ratings are provided timely by Principal\n      Offices and filed in Employee Performance Files.\n\n\n\n\nED-OIG/A19-C0005                             \t                                     Page 9\n\x0cDepartment of Education Response\n\nThe Department agreed with the finding and three of the four recommendations contained in the\ndraft report. The Department provided information on activities taken or planned to implement\ncorrective actions.\n\nThe Department disagreed with the draft recommendation to:\n\n       Ensure that updated information provided by employees, such as information provided\n       with applications for reassignment or promotion, is also updated in FPPS.\n\nThe Department stated that adding additional records review requirements based on resumes or\nother applications would not be efficient or effective and could lead to unsupported data updates.\nThe Department noted that the proposed corrective action for recommendation 1.1 would more\neffectively address this condition.\n\nOffice of Inspector General Comments\n\nThe Department\xe2\x80\x99s proposed corrective actions are generally responsive to our recommendations.\nWe considered the response provided by the Department and removed the recommendation in\nquestion. We agree that the proposed corrective action in response to recommendation 1.1, if\neffectively implemented, appears responsive to improve overall FPPS data quality. In addition,\nthe quality assurance reviews proposed to address recommendation 2.2 will also improve FPPS\ndata quality.\n\nThe Department stated in its response that a manual tracking mechanism was currently in place\nto ensure that all ratings are provided timely by Principal Offices and filed in Employee\nPerformance Files. However, the sample tracking report provided with the Department\xe2\x80\x99s\nresponse only included ratings entered into FPPS. There was no tracking report to ensure hard\ncopy ratings were placed in Employee Performance Files. We determined in our audit that this\nparticular mechanism was not effective for ensuring that all ratings were provided and filed, as\n22 of the 75 Employee Performance Files we reviewed did not contain the Last Rating of\nRecord. We continue to recommend that the Department develop and implement a tracking\nsystem to ensure that all ratings are provided and filed in Employee Performance files. We will\nmonitor the actions proposed by the Department in the corrective action plan submitted during\naudit resolution.\n\n\n\n\nED-OIG/A19-C0005                                                                  Page 10\n\x0cFinding No. 3 \xe2\x80\x93 Controls Over Sensitive Data Needed Improvement\n\n\nWe determined that certain controls over sensitive data could be improved. Specifically, we\nnoted that rules of behavior for FPPS users had not been developed, and user access was not\neffectively monitored. The interests of the Department, Office of Management, system users,\nand employees could be better protected through enhancements in these areas.\n\nRules of Behavior Had Not Been Developed\n\nWe found that rules of behavior had not been developed for FPPS users. The Privacy Act of\n1974 as amended, (5 U.S.C. 552a), \xc2\xa7 552a(e)(9), states Agencies shall,\n\n       [E]stablish rules of conduct for persons involved in the design, development,\n       operation, or maintenance of any system of records, or in maintaining any record,\n       and instruct each such person with respect to such rules and the requirements of\n       this section, including any other rules and procedures adopted pursuant to this\n       section and the penalties for noncompliance.\n\nOMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d Appendix III,\n\xc2\xa7 (3)(b)(2)(a), includes as a control for major applications the establishment of rules of the\nsystem. The circular requires that agencies:\n\n       Establish a set of rules concerning use of and behavior within the application.\n       The rules shall be as stringent as necessary to provide adequate security for the\n       application and the information in it. Such rules shall clearly delineate\n       responsibilities and expected behavior of all individuals with access to the\n       application. In addition, the rules shall be clear about the consequences of\n       behavior not consistent with the rules.\n\nThe need for rules of behavior was also identified in an FPPS risk assessment completed in June\n2002. That report recommended that the Department develop written rules of behavior for FPPS\nto clearly define the expected behavior of all users, including a signature page that acknowledges\nreceipt and understanding of behavior responsibilities and compliance with the stated rules. The\nDepartment\xe2\x80\x99s response to the report stated that corrective action would be completed as of\nOctober 29, 2002. However, the rules of behavior had not been implemented as of July 2003.\nHRS staff stated that rules of behavior had been developed, but they were awaiting the review\nand approval of executive management before they could be implemented.\n\nSince the rules of behavior had not been implemented, the potential weakness identified in the\nJune 2002 risk assessment still existed. That report concluded that users lacking knowledge of\nrequired security rules might take actions that allow a direct threat to exploit the system. Users\nwere not informed of their responsibilities to protect sensitive data contained in the system.\nFurther, failure to take action to ensure that the findings of audits and other reviews are promptly\n\nED-OIG/A19-C0005                                                                    Page 11\n\x0cresolved represents an internal control weakness as defined in the General Accounting Office\n(GAO) Standards for Internal Control in the Federal Government.\n\nFPPS User Access Was Not Effectively Monitored\n\nWe also determined that FPPS user access was not effectively monitored. With the assistance of\nDepartment Executive Offices,5 we reviewed the need for 1,123 FPPS users as of February 25,\n2003. The Executive Offices responded that access for 103 users (9.2 percent) should be deleted.\n\nThe Privacy Act, \xc2\xa7 552a(e)(10), states Agencies shall,\n\n        [E]stablish appropriate administrative, technical and physical safeguards to insure\n        the security and confidentiality of records and to protect against any anticipated\n        threats or hazards to their security or integrity which could result in substantial\n        harm, embarrassment, inconvenience, or unfairness to any individual on whom\n        information is maintained.\n\nThe Privacy Act, \xc2\xa7 552a(b), also states,\n\n        No agency shall disclose any record which is contained in a system of records by\n        any means of communication to any person, or to another agency, except pursuant\n        to a written request by, or with the prior written consent of, the individual to\n        whom the record pertains, unless disclosure of the record would be,\n\n        (1) to those officers and employees of the agency which maintains the record who\n        have a need for the record in the performance of their duties\xe2\x80\xa6\n\nChapter 1 of OPM\'s The Guide to Personnel Recordkeeping states,\n\n        Access to personnel records subject to the Privacy Act should be limited to those\n        whose official duties require such access. This limitation applies to paper,\n        microfiche/microfilm, and electronic records.\n\nMonitoring of FPPS users is the responsibility of Executive Office staff within the various\nDepartmental organizations. Organization staff are responsible for the initial authorization of\nuser accounts and deleting users when access is no longer required. HRS staff performed limited\nreviews of user activity by reviewing periodic reports and directly contacting users who either\ndid not access the system or did not do so frequently to determine if access is still required.\nHowever, these reviews did not involve input from Executive Offices who authorize system\naccess for the users. Users who wanted to maintain inappropriate access could respond that they\nstill needed access to the system.\n\n\n\n\n5\n This included Principal Offices and Independent Organizations affiliated with the Department of Education. See\nAttachment 4 for a list of the organizations included in this review and the results for each organization.\n\nED-OIG/A19-C0005                                                                               Page 12\n\x0cUser monitoring in place within Departmental organizations and HRS did not effectively remove\nusers when access was no longer required. As a result, individuals who were no longer valid\nFPPS users had inappropriate access to a system containing sensitive information.\n\nIn response to the issues identified during our audit, HRS staff stated that rules of behavior for\nFPPS would be implemented. In addition, HRS staff stated that they have developed procedures\nto ensure that Executive Offices periodically review and confirm the need for user accounts.\nHRS staff contacted Executive Offices and reported that 88 of the 103 accounts identified in our\naudit had been deleted as of July 2003.\n\n\nRecommendations\n\nWe recommend that the Assistant Secretary for Management and Chief Information Officer:\n\n3.1 \t Develop rules of behavior for FPPS users that include the use of a signature page to\n      acknowledge receipt and understanding of behavior responsibilities. Ensure that all current\n      FPPS users complete the developed form, and that a process is implemented to ensure all\n      new users sign the forms prior to obtaining access to the system.\n\n3.2 \t Develop FPPS user account monitoring procedures to ensure that Executive Offices\n      periodically review and confirm the need for user accounts within their organization.\n\n3.3 \t Ensure that those users identified as not needing access to FPPS are deleted.\n\nDepartment of Education Response\n\nThe Department agreed with the recommendations made and provided information on activities\ntaken or planned to implement corrective actions.\n\n\n\n\nED-OIG/A19-C0005                             \t                                    Page 13\n\x0c             OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\nThe objectives of our audit were to:\n\n   1. \t Assess the accuracy and completeness of selected information in the Department\xe2\x80\x99s\n        personnel database; and\n   2. \t Evaluate how sensitive personnel data is safeguarded.\n\nTo accomplish our objectives, we obtained an understanding of the controls in place at the\nDepartment over FPPS data accuracy and completeness, and the safeguards over sensitive data in\nFPPS and in hard copy personnel records. We reviewed applicable laws and regulations,\nDepartment policies and procedures, GAO Standards for Internal Control in the Federal\nGovernment, and National Institute of Standards and Technology publications. Since the FPPS\napplication is operated by the Department of Interior, we reviewed that agency\xe2\x80\x99s policies,\nprocedures and reports regarding the system. We also gained an understanding of controls in\nplace at the Department of Education through interviews with HRS staff, observations, and\nreview of applicable documentation.\n\nTo perform our audit, we judgmentally selected 22 FPPS data fields to assess the accuracy and\ncompleteness of employee data. The fields were selected based on a 1998 review conducted by\nthe GAO on the accuracy of the CPDF maintained by OPM. We obtained a download of the\ndata in these fields for the 4,902 Department employees as of June 25, 2002. To ensure the\ncompleteness of the data received, we reconciled the employees listed in the FPPS download\nwith payroll records for the pay period ending June 15, 2002.\n\nWe also conducted data validity testing, confirmed data with employees, and compared data to\nsource documentation. See Attachment 5 for fields involved in the various data testing\nperformed. Based on these tests and assessments, we concluded that the data were sufficiently\nreliable to be used in meeting the audit\xe2\x80\x99s objectives. Details of the data testing and\nconfirmations follow:\n\n   \xe2\x80\xa2 \t Data Validity Testing \xe2\x80\x93 We conducted validity testing for the universe of 4,902\n       Department employees as of June 25, 2002. This process reviewed data fields for blank\n       values, and reviewed certain data fields, such as date of birth and service computation\n       date, for reasonableness. (See Finding 1 for discussion of results of this review.)\n\n   \xe2\x80\xa2 \t Data Confirmation Survey \xe2\x80\x93 We confirmed FPPS data with a randomly selected sample\n       of Department employees. A total of 221 employees completed confirmation forms for\n       the information contained in the database as of June 25, 2002. In this review, we defined\n       errors as responses from employees that indicated at least one element in the database\n       was incorrect. We followed up with employees as necessary to clarify responses and to\n       obtain additional information. (See Finding 1 for results of this confirmation.)\n\nED-OIG/A19-C0005                            \t                                   Page 14\n\x0c    \xe2\x80\xa2 \t Comparison of Database Information to Source Documentation \xe2\x80\x93 We compared\n        database information to corresponding source documentation maintained in Official\n        Personnel Folders and Employee Performance Files. To complete this review, we\n        selected a random sample of 75 individuals serviced by HRS staff in Washington, DC,\n        from the universe of 3,131 such employees as of June 25, 2002. In this review, we\n        defined an error as a value found in the database that was not the same value identified in\n        applicable source documentation, or a value that could not be supported due to the\n        absence of applicable source documentation. (See Finding 2 for results of this\n        comparison.)\n\nTo evaluate the appropriateness of user accounts on FPPS, we obtained a listing of all users on\nthe system as of February 25, 2003. We referred the list of users to Department Executive\nOfficers to determine if individuals with FPPS user accounts currently required system access.\nWe validated 1,123 of the total 1,353 user accounts as of February 25, 2003.6 We considered a\nuser account to be in error if an organization indicated the account was not required as of the date\nthe account listing was generated. (See Finding 3 for results of this analysis.)\n\nWe performed our fieldwork at applicable Department of Education offices in Washington, DC,\nfrom April 2002 through July 2003. We held an exit conference with Department management\non July 22, 2003. Our audit was performed in accordance with generally accepted Government\nAuditing Standards appropriate to the scope of the review as described above.\n\n\n\n\n6\n  Accounts not verified represent those assigned to the Office of Management that were not referred, and user\naccounts from other organizations for which a response was not received. The total number of accounts includes\ninstances where an individual was cited as a FPPS user for multiple physical locations.\n\nED-OIG/A19-C0005                                    \t                                          Page 15\n\x0c             STATEMENT ON MANAGEMENT CONTROLS \n\n\nAs part of our review, we assessed the system of management controls, policies, procedures, and\npractices applicable to HRS\xe2\x80\x99 administration of the personnel database and its related information.\nOur assessment was performed to determine the level of control risk for determining the nature,\nextent, and timing of our substantive tests to accomplish the audit objectives.\n\nFor the purpose of this report, we assessed and classified the significant controls into the\nfollowing categories:\n\n   \xe2\x80\xa2   Accuracy and completeness of personnel data, and\n   \xe2\x80\xa2   Safeguarding of sensitive personnel data.\n\nBecause of inherent limitations, a study and evaluation made for the limited purpose described\nabove would not necessarily disclose all material weaknesses in the management controls.\nHowever, our assessment disclosed management control weaknesses that adversely affected the\naccuracy and completeness of FPPS data and personnel records, and the effectiveness of the\nDepartment\xe2\x80\x99s process for safeguarding sensitive information. These weaknesses and their effects\nare fully discussed in the AUDIT RESULTS section of this report.\n\n\n\n\nED-OIG/A19-C0005                                                                    Page 16\n\x0c             Attachment 1: Results of Employee Data Confirmation Survey\n\n\n\n\n                                                                    Percentage of Respondents\n                                                                     That Identified Errors In\n                                       Category                               Data\n\n                  1    Name                                                       0.0%\n                   2   Official Mailing Address                                   3.2%\n                   3   Social Security Number                                      0.0%\n                   4   Date of Birth                                               0.9%\n                   5   Sex                                                         0.0%\n                   6   Education Level                                            34.4%\n                   7   Race/National Origin                                        4.1%\n                   8   Handicap Indicator                                         10.0%\n                   9   Veterans\' Preference                                       1.8%\n                  10   Veterans\' Status                                           2.3%\n                  11   Official Duty Station                                       0.5%\n                  12   Principal Office Code                                       0.5%\n                  13   Pay Plan, Grade & Step7                                    0.0%\n                  14   Date of Last Promotion                                      4.1%\n                  15   Annual Pay, Including Locality Pay                          0.0%\n                  16   Position Title                                              0.9%\n                  17   Occupational Series                                         0.5%\n                  18   Service Computation Date                                    0.5%\n                  19   Work Schedule                                               0.0%\n                  20   Last Rating of Record                                       7.7%\n                  21   Retirement Plan                                             0.9%\n                  22   Annuitant Indicator                                        1.4%\n\n\n\n\n7\n    Pay Plan, Grade, and Step are separate data elements that were combined for ease of reference.\n\x0c     Attachment 2: Sources Of Data Fields Available for Employee Review\n\n\n\n\n                                   Leave and                           Personnel        Notification of\n                                   Earnings           Employee          Benefits         Personnel\n     Data Element                  Statement           Express         Statement           Action\n\n1    Name                               X                 X                 X                 X\n2    Official Mailing Address           X                 X                 X\n3    Social Security Number8            X                 X                 X                 X\n4    Date of Birth                                                          X                 X\n5    Sex                                                                                      X\n6    Education Level                                                                          X\n7    Race National Origin\n8    Handicap Indicator\n9    Veterans\xe2\x80\x99 Preference                                                                     X\n10   Veterans\xe2\x80\x99 Status                                                                         X\n11   Official Duty Station                                                                    X\n12   Principal Office Code                                                                    X\n13   Pay Plan, Grade, & Step            X                 X                                   X\n14   Date of Last Promotion                                                                   X\n15   Annual Pay, Including              X                 X                                   X\n     Locality Pay\n16   Position Title                                                                           X\n17   Occupational Series                                                                      X\n18   Service Comp. Date                                   X                 X                 X\n19   Work Schedule                                                                            X\n20   Last Rating of Record\n21   Retirement Plan                    X                 X                 X                 X\n22   Annuitant Indicator                                                                      X\n\n\n\n\n8\n As of January 2003, the employee\xe2\x80\x99s full Social Security Number was no longer presented in the Leave and\nEarnings Statement.\n\x0cAttachment 3: Comparison of Database to Personnel File Documentation\n\n\n\n\n                                              Percentage of Errors\n                                               Between Supporting\n                                           Documentation and Database\n                         Category                 Information\n\n     1    Name                                       0.0%\n     2    Official Mailing Address               Not Confirmed\n     3    Social Security Number                      0.0%\n     4    Date of Birth                               0.0%\n     5    Sex                                         0.0%\n     6    Education Level                            25.3%\n     7    Race/National Origin                   Not Confirmed\n      8   Handicap Indicator                     Not Confirmed\n     9    Veterans\' Preference                       0.0%\n     10   Veterans\' Status                           1.3%\n     11   Official Duty Station                       0.0%\n     12   Principal Office Code                       0.0%\n     13   Pay Plan, Grade & Step                      1.3%\n     14   Date of Last Promotion                      0.0%\n     15   Annual Pay, Including Locality              4.0%\n     16   Position Title                              0.0%\n     17   Occupational Series                         0.0%\n     18   Service Computation Date                    0.0%\n     19   Work Schedule                               0.0%\n     20   Last Rating of Record                      29.3%\n     21   Retirement Plan                             0.0%\n     22   Annuitant Indicator                        0.0%\n\x0c        Attachment 4: FPPS User Account Review by Organization\n\n\n\n\n                                                                   Accounts Percent\n                                                                   Identified Identified\n                                                          Accounts    for        for\n              Organization                                Reviewed Deletion Deletion\n\nNational Assessment Governing Board                           9         0        0.0%\nNational Commission on Libraries and Info. Sciences            4        0        0.0%\nNational Institute for Literacy                                4        0        0.0%\nOffice of English Language Acquisition                        12        3       25.0%\nOffice of the Chief Financial Officer                         56        9       16.1%\nOffice of the Chief Information Officer                       20        5       25.0%\nOffice for Civil Rights                                      107       15       14.0%\nOffice of the Deputy Secretary                                11        0        0.0%\nOffice of Educational Research and Improvement                31        5       16.1%\nOffice of Elementary and Secondary Education                  47        4        8.5%\nOffice of the General Counsel                                 27        0        0.0%\nOffice of Inspector General                                  128        0        0.0%\nOffice of Intergovernmental and Interagency Affairs          47         4        8.5%\nOffice of Legislation and Congressional Affairs                5        0        0.0%\nOffice of Postsecondary Education                            64        13       20.3%\nOffice of the Secretary                                      26         4       15.4%\nOffice of Safe and Drug Free Schools                          10        0        0.0%\nOffice of Special Education and Rehabilitative Services      103        3        2.9%\nOffice of the Under Secretary                                 15        0        0.0%\nOffice of Vocational and Adult Education                      34        6       17.6%\nFederal Student Aid                                          363       32        8.8%\n\nTotal                                                       1,123      103      9.2%\n\x0c         Attachment 5: Summary of Data Fields Reviewed\n\n\n\n\n                                                           Comparison of\n                                 Limited     Employee          Data to\n                                  Data         Data        Documentation\n                                 Validity   Confirmation   from Personnel\n           Data Element          Testing      Survey          Records\n\n1    Name                           *            *               *\n2    Official Mailing Address       *            *\n3    Social Security Number         *            *               *\n4    Date of Birth                  *            *               *\n5    Sex                            *            *               *\n6    Education Level                *            *               *\n7    Race/National Origin           *            *\n8    Handicap Indicator             *            *\n9    Veterans\xe2\x80\x99 Preference           *            *               *\n10   Veterans\xe2\x80\x99 Status               *            *               *\n11   Official Duty Station          *            *               *\n12   Principal Office Code          *            *               *\n13   Pay Plan, Grade, and Step      *            *               *\n14   Date of Last Promotion         *            *               *\n15   Annual Pay, Including          *            *               *\n     Locality Pay\n16   Position Title                 *            *               *\n17   Occupational Series            *            *               *\n18   Service Computation Date       *            *               *\n19   Work Schedule                  *            *               *\n20   Last Rating of Record          *            *               *\n21   Retirement Plan                *            *               *\n22   Annuitant Indicator            *            *               *\n\x0c                                                                                                              Attachment 6\n\n                                  UNITED STATES DEPARTMENT OF EDUCATION\n\n                                                       omCE OF MANAGEMENT\n\n\n                                                            OCT\nTO:                Michele Weaver-Dugan, Director\n                   Operations Internal Audit Team\n                   Office of the Inspector General\n\nFROM:              William J. Leidinge(  \\ \\}--\xc2\xad\n                   Assistant Secretary WanagementlChief\n                   Infomlation Officer\n\nSUBJECT:           Response to Draft Audit Report\n                   Audit of the Accuracy and Completeness of Personnel Data\n                   Control Number ED-OIGI A 19-C0005\n\n\nI appreciate the opportunity to respond to the draft audit report on the accuracy and completeness\nof personnel data (reference your lett er of August 12,2003). In general, we concur with the\nfindings and the majority of the recommendati ons contained in the report. However, at times the\nreport overstates the impact and importance of so me of the data errors. While 100 percent\naccuracy and comp leteness of personnel data is desirable, limitations on resources make it more\nappropriate to focu s our corrective efforts where th ey are most needed, versus on those areas\nhavin g little or no impact on the employment of individual s or the Department \'s management of\nhuman capita l. For examp le, once an individual is hired, education levels are not used for\nanything other than demographic information ; these errors and omi ssions have very limited\nimpact. On th e other hand, missing ratings of record cou ld have serious consequences, should\nthe Department need to take a perfomlance-based acti on or run a reduction -in-force .\n\nEven though we occasionall y disagree with the report\'s emphasis, we appreciate the intent of the\naudit to assist the Department in better managing its human capital. A discussion of the\nindividual findings and recommendations contained in th e draft report follows.\n\nFinding No.1 \t               Personnel Database Information Was Not Always Accurate or\n                             Complete\n\nWe concur with the finding and recommendations.\n\n1.1 \t     "Develop and implement a process to improve the accuracy of data through employee\n          review and confirmation. The process should periodically encourage employees to\n          review personnel database information, supply definitions of database codes used, and\n          provide employees with a method to refer and resolve potential inaccuracies."\n\n\n                                  400 MARYLAND AVE., SW. WASHINGTON. O.c. 20202-4500\n                                                          www.cd .gov\n        Our mission is 10 ensure equol access 10 education (lnd 10 promote educarional excellence ,hrougholltlhe Nation.\n\x0cPage 2 - Michelle Weaver-Dugan\n\n        Corrective Action: Contingent on the availability of funds for contractor support, the\n        Office o f Mana gement (OM), Human Resources Serv ices (HRS), will institute a biennial\n        employee review of se lected data elements to be cont ained in a single brief clear-text\n        report produced fTOm th e FPPS system . The report will be deli vered via e- mail or a web\xc2\xad\n        enabled rev iew process. Employees will review data, input changes they believe to be\n        accurate and submit those rev isions for rev iew by contractor personnel or HRS\n        specia li sts, as appropriate. After resolution , contractor personnel will update the\n        personnel dat abase accordingly. This process will survey every employee in the\n        Department once every two years.\n\n        Changes or correction s indicated to handi cap/di sability conditi on or race and national\n        origin data will be referred by th e contractor to OMfManagement Services, EEO Group,\n        for appropriate action and integration into the Department \'s annual report ing of such data\n        to the Equal Employmen t Opportunity Commi ssion.\n\n        Note that thi s data veri fi cati on survey effort will involve significant resources.\n        Furthermore, OM is awaiting the outcome of the competiti ve sourcing process th at wi ll\n        dramati cally affect the availability ofHRS manpower. Future HRS staff or contractors in\n        place after the Hum an Resources competitive sourcing decision is made will not be able\n        to take on thi s add itional task. It is beyond the scope of th e Human Resources Statement\n        of Work (SOW), and neither government nor contractor serv ice providers will have the\n        Oexib ility to add thi s work load without additional resources. The current staff and\n        contract support in the HRS Systems Team is also not sufficient to accompli sh this task.\n\n        The on ly practical so luti on to accomplish thi s ongoing and ex tensive review process is\n        with contract support. We will have to look into funding this project and amending the\n        SOW for the Human Resources Informati on Managemen t Systems support when it\n        comes up for renewal in April 2004.\n\n1.2 \t   " Continue to monitor rrrs data for completeness and take corrective actions where \n\n        appropriate to eliminate incompl ete data." \n\n\n        Corrective Action: 1 Source Consulting (l -SC) and the HRS Systems Team developed\n        and instituted monthly procedures to monit or FPPS data for completeness. The results of\n        these procedures are automated reports, id entifyin g where corrective actions are needed ,\n        that are sent to Executi ve Officers and OMfHRS Team Leaders. The following data\n        elements are monitored: Education Level, RacefNati onal Origin, Hand icap Indi cator, Last\n        Rating of Record, Date of Last Promotion, Competitive Level Code, Special Program ID\n        and vacancy.\n\n1.3     "Ensure that data di screpancies id entified by Department employees on the data \n\n        confinnation forms provided during the audit are reviewed and appropriate corrective \n\n        actions are taken ."\n\n        Corrective Action: OMfHRS is reviewing and correcting discrepancies identifi ed by\n        Department emp loyees on the data confinnati on fonns.\n\x0cPage 3 - Mi chell e Weaver-Du gan\n\nFinding No.2 \t         Personnel Database Information Was Not Always Supported by\n                       Personnel Records\n\nWe concur with the findin g and all recommend ations except for recommend ation 2.2. See\ndi scussion, below.\n\n2. 1    " Reinforce the requirements for and importance of recordin g and upd atin g FPPS data to\n        HRS and Executive Offi ce staff responsible for thi s task, including providing additi onal\n        training, as needed."\n\n        Corrective Action: OMIHRS will continu e to generate reports and take acti ons to\n        reinforce the import ance of recording and updating FPPS to HRS and Executi ve Office\n        staff. Fo r exampl e, to dea l with ratings of record, durin g th e end of the rating cyc le\n        OMIHR S generates a Rating of Record data accuracy report, by Principal Offi ce (PO),\n        and provides thi s infornl ati on to th e Director, HRS, and the Empl oyee Relations Team\n        Leader. These two key offi cials take appropri ate acti on to ensure staff within HRS and\n        Executi ve Offi ces are aware of th eir respon sibiliti es with regard to EDPAS ratings. Our\n        response to recommend ati on 1.2 of thi s document further cl arifies OM \'s correcti ve\n        action s for thi s recomm endati on. OMIHRS reinforces the requirements for and\n        import ance of recordin g and upd ating FPPS data to internal and Executive Offi ce staff\n        and provides training, as needed. For ex ample, see the chart that was provid ed to\n        Executi ve Offi cers and th e EMT regarding ratin gs on fil e in the FFPS system\n        (A tt aclunent I). OM/HRS also sent an e-mail remind er to Executive Offi cers about\n        forwa rdin g hardcopy performance pl ans and rating doc um ent s to HRS for filin g in the\n        Employee Perfonn ance Fold er (EPF) (Att.achment 2)\n\n2.2 \t   "Ensure that updated informati on prov ided by empl oyees, such as inform ation provided\n        with appli cati ons for reassignment or promotion, is also updated in FPPS"\n\n        \\Ve disagree with this recommendation. Adding additi onal records revi ew\n        requirements on th e staffin g teams to update empl oyee records based solely on EdHires\n        resum es or other applicati ons would not be effi cient or effecti ve. Since additional\n        document ation is often needed to update data in the system, thi s wo uld slow the work of\n        the staffin g teams or would lead to un supported data upd ates. The corrective acti on\n        proposed for recomm end ati on 1.1 will address the probl em more effectively.\n\n2.3 \t   " Develop and implement periodic quality assurance reviews of samples of personnel\n        records to compare FPPS data with documentation to ensure all data is accurately\n        recorded and upd ated, and personnel and perform ance records are complete."\n\n        Corrective Action: OPF contractor will conduct semi-annual quality assurance revi ews\n        utilizing sampl es of personn el records to compare FPPS data with docum ent ation to\n        ensure all data is accurately recorded/ updated and records are compl ete. An addendum\n        will be added to the SOW for the Offi cial Personnel Record s Management Contract the\n        nex t tim e it comes up for renewal in March 2004.\n\x0c.. \n\n   Page 4 - Michelle Weaver-Dugan\n\n   2.4 \t   "Develop a tracking mechanism to ensure that all ratings are provided timely by Principal\n           Offices and filed in Employee Performance Files."\n\n           Corrective Action: There is currently a manual tracking mechanism in place to ensure\n           that all ratings are provided timely by Principal Offices (Pos) and filed in Employee\n           Performance Files.\n\n   Finding No.3           Controls Over Sensitive Data Needed Improvement\n\n   We concur with the finding and recommendations.\n\n   3.1 \t   "Develop rules of behavior for FPPS users that include the use of a signature page to\n           acknowledge and understanding of behavior responsibilities. Ensure that all current\n           FPPS users complete the developed form, and that a process is implemented to ensure all\n           new users sign the forms prior to obtaining access to the system"\n\n           Corrective Action: Rules of behavior for FPPS users, including a signature page has\n           been developed and will be reviewed by the Director, HRS, before implementation with\n           current FPPS users. A process will be implemented to ensure all new users sign the non\xc2\xad\n           disclosure form prior to obtaining access to FPPS.\n\n   3.2 \t   "Develop FPPS user account monitoring procedures to ensure that Executive Offices\n           periodically review and confinn the need for user accounts within their organization."\n\n           Corrective Action: Procedures have been developed to ensure that Executive Offices\n           periodically review and confirm the need for user accounts within their organi zation.\n           During the month of July, 50 user accounts were identified and deleted. At this time there\n           are no user accounts that require deletion.\n\n   3.3 \t   "Ensure that those users identified as not needing access to FPPS are deleted."\n\n           Corrective Action: The 103 FPPS user accounts identified in Attachment 4 of the draft\n           audit report have been deleted. At this time there are no additional user accounts that\n           require deletion.\n\n\n   Attachments\n\x0c                                                                                                                                                                                                                                 "\n\n~\na;\ng.\n3\n                       PO Usage of Performance Appraisal System                                                                                                                                                                       \'.\n\nco\n:?\n~\n                                         1/1 /03 - 4130103 Rating Cycle All POs - Preliminary Data\n                   This chart identifies the percentage of ED PAS employees who have received a rating of record of "Outstanding", " Highly \n\n                   Successful" "Successful", " Minimally Successful", or "Unacceptable" by PO. This is a metric contained in Objective 6.2. \n\n\n                             100                                                                        91l                         98    22.                        M                   Qfi         u<\n\n\n\n\n                                                   80\n                                  )(iI   I   1_\n     ."\n          ...\n          0\n          <.J\n\n      \'"\n     IX\n     \'\xc2\xad\n      0\n          \'"\n          OJ)\n\n         ~\n          =\n     IX  \'"\n     \xc2\xad\n     -=\n          ~\n         \'""\n         ....\n         \'"\n     .\xc2\xa3\n          Q,\n         5\n     ~\n \'\xc2\xad\n  0\n          \'"\n         OJ)\n\n     ~\n         \'="                             I -       I I   0\n\n         .,...\'"                                                                                                         \xc2\xab                ...                                   ...Cl                \xc2\xab\n                                                               c<                                                                   \xc2\xab\n                                                                                                                                                       ...0\xc2\xab\n                                              Cl                                    0                   til     0                         0     ::;:                                           OJ                 Ul\n\n                                                                                              8\n                                                         til            til                                                                                          OJ                  til\n         <.J\n                                                   (:3                  ::>                                                                                          c.\n                                                                                                                                                                                til\n                                                                                                                                                                                                            is    \xc2\xab\n c..\n                                              Ul         Cl\n                                                         0     ~        0           is                  \'"\n                                                                                                        Ul\n                                                                                                        til\n                                                                                                        0\n                                                                                                                ~\n                                                                                                                        u\n                                                                                                                        ...l\n                                                                                                                        0\n                                                                                                                                    is    ~\n                                                                                                                                                0      til\n                                                                                                                                                                     0\n                                                                                                                                                                                til\n                                                                                                                                                                                0\n                                                                                                                                                                                         !!l   til\n                                                                                                                                                                                               OJ\n                                                                                                                                                                                               0\n                                                                                                                                                                                                     ...l\n                                                                                                                                                                                                     Ul\n                                                                                                                                                                                                     0\n                                                                                                                                                                                                                  >\n                                                                                                                                                                                                                  0\n\n Employees\n EligIble to l 4.20 I                        113   90    661    37            266        98       332         104   19         93        274    179        1.050          231           45     171   195     42       87   114\n    be rated\n Employees                   3 77\n                   rated l    \xe2\x80\xa2     I        90    0     590        0         249        90       325         95    6          92        272    169            983        219           32     165   179     40       68   107\n\n\nData Source: Federal Personnel Payroll System (FPPS) R eport BR02339_Status_ v6 as 0/912712003. Excludes pay plans ED, EF, EH, EI, ES, EX, ZZ; excludes employees\n                                                       with <1=120 on the j ob /orrating date equal to 4130103.\n\x0c'